Closing Security Gaps in Mobile Apps With Source Code Protection
September 29th, 2020 | By Pedro Fortuna | 3 min read
Close security gaps. Stay ahead of attackers and cybercriminals with source code protection.
The Department of Justice and the Federal Trade Commission have been issuing more scam alerts since the pandemic outbreak. Attackers create apps that use the same branding as official government apps and distribute these copycats via unofficial channels.
In June, Canadians were tricked into installing a fake COVID-19 contact tracing app that, despite being advertised as Health Canada, covertly installed ransomware, encrypting the user’s files and demanding a ransom payment.
Similarly, 12 other fake contact tracing apps in South America, Europe, and Asia were also found to be installing Trojan horses on users’ devices and stealing their credentials and other sensitive data.
But contact tracing programs are just one example of the many apps developed by public- and private-sector teams that have been imitated or breached by attackers.
Often, the app developers must meet strict deadlines and may end up putting security on the back burner, intending to address it later.
Application security guidelines
Security is critical for any application that handles sensitive user information. Personally identifiable information is valuable to attackers, and it takes just one security gap for an app to facilitate a data breach. For government apps, this can have countrywide ramifications.
What can be done to ensure in-depth security?
First and foremost, these applications, especially government-backed apps, must always undergo strict independent security audits before being released. This process should start as early as possible in the software development lifecycle.
1. Mobile Security Testing Guide
Development teams should follow well-established application security guidelines, namely the Open Web Application Security Project’s (OWASP) Mobile Security Testing Guide. This guidance describes several possible attack vectors and urges teams to ensure the app is not vulnerable on any of its many fronts.
2. Source Code Protection
Another security concern is source code protection. When apps are released, their source code is typically shipped in plain text, exposed to the eyes of users and attackers alike.
This poses a significant security risk mentioned in the ISO 27001 information security standard, which states that “program source code can be vulnerable to attack if not adequately protected and can provide an attacker with a good means to compromise systems in an often covert manner.”
As stated in the OWASP Mobile Top 10 Security Risks guide, attackers take exposed code to “directly modify the code, change the contents of memory dynamically, change or replace the system APIs that the application uses, or modify the application’s data and resources. This can provide the attacker with a direct method of subverting the intended use of the software for personal or monetary gain.”
If attackers have easy access to an app’s source code, they can distribute dozens or hundreds of copycats via third-party websites or apps, tricking users into installing them by exploiting the branding of government agencies.
To counter this and other security liabilities, development teams must look for resilient source code protection that not only obfuscates the source code to hinder reverse engineering but also adds runtime defenses that detect and block tampering, thwarting copycats and locking attackers out.
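To make the "runtime defenses" idea concrete, here is an added illustration in JavaScript. It is not code from this article or from Jscrambler's product; it shows only the principle of a runtime integrity check, where a sensitive function's source text is hashed and the app refuses to act if the function currently bound to that name no longer matches. The token format, the `validateSession` function and the `performPrivilegedAction` entry point are constructed for the example, and the expected digest is computed at load time for readability, whereas a shipped app would embed it as a build-time constant inside obfuscated code.

```javascript
// Added illustration (not Jscrambler's code): a minimal runtime integrity
// check of the kind the article calls a "runtime defense". It hashes the
// source text of a sensitive function and later verifies that the function
// still has that hash, so an in-memory replacement is detected.
// Commercial products embed the expected digest at build time and hide the
// check inside obfuscated code; here everything is in the clear for reading.

// FNV-1a 32-bit hash, kept inline so the example has no dependencies.
function fnv1a(text) {
  let hash = 0x811c9dc5;
  for (let i = 0; i < text.length; i++) {
    hash ^= text.charCodeAt(i);
    hash = Math.imul(hash, 0x01000193) >>> 0;
  }
  return hash;
}

// Constructed sensitive logic: accepts only well-formed session tokens
// before the app performs a privileged action.
function validateSession(token) {
  return typeof token === 'string' && /^[A-Za-z0-9_-]{32,}$/.test(token);
}

// Digest of the genuine function's source, taken when the module loads.
// (Assumption: in a shipped app this would be a build-time constant.)
const EXPECTED_DIGEST = fnv1a(Function.prototype.toString.call(validateSession));

// Returns true only if the function currently bound to the name still
// matches the digest recorded for the genuine implementation.
function isIntact(fn) {
  if (typeof fn !== 'function') return false;
  return fnv1a(Function.prototype.toString.call(fn)) === EXPECTED_DIGEST;
}

// Guarded entry point: refuses to proceed when the validator was tampered
// with, instead of silently trusting whatever now sits behind the name.
function performPrivilegedAction(validator, token) {
  if (!isIntact(validator)) {
    return { ok: false, reason: 'integrity check failed' };
  }
  if (!validator(token)) {
    return { ok: false, reason: 'invalid session' };
  }
  return { ok: true, reason: 'action performed' };
}

// Demonstration: the genuine validator passes; a replacement that approves
// every token is rejected before it gets to decide anything.
if (typeof require !== 'undefined' && require.main === module) {
  const goodToken = 'a'.repeat(40);
  console.log(performPrivilegedAction(validateSession, goodToken));
  const replaced = function validateSession(token) { return true; };
  console.log(performPrivilegedAction(replaced, goodToken));
}
```

The check itself is trivial to read here, which is exactly why the article pairs runtime defenses with obfuscation: the value of such a guard depends on it being hard to locate and remove, and on the expected digest not being a plain constant next to the code it protects.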
With every passing day, attackers go further to grab valuable user data, so development teams must be aware of the responsibility in their hands.
With government-backed apps and the private data of millions, no security risk is too small.